[3.7] pdns: Missing check on API operations (CVE-2017-15091)
An issue has been found in the API component of PowerDNS
Authoritative,
where some operations that have an impact on the state of the server
are still allowed even though the API has been configured as read-only
via the `api-readonly` keyword.
This missing check allows an attacker with valid API credentials could
flush the cache, trigger a zone transfer or send a NOTIFY.
Affects:
PowerDNS Authoritative up to and including 4.0.4, 3.4.11
Not affected:
PowerDNS Authoritative 4.0.5
References:
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html
http://openwall.com/lists/oss-security/2017/11/27/1
(from redmine: issue id 8251, created on 2017-12-07, closed on 2017-12-15)
- Relations:
- parent #8249 (closed)
- Changesets:
- Revision 11695c47 by Francesco Colista on 2017-12-15T13:49:10Z:
community/pdns: security upgrade to 4.0.5 (CVE-2017-15091). Fixes #8251